freeradius security update

2005-06-2320:24:57

CentOS Project

lists.centos.org

0.005 Low

EPSS

Percentile

75.4%

JSON

CentOS Errata and Security Advisory CESA-2005:524

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A buffer overflow bug was found in the way FreeRADIUS escapes data in an
SQL query. An attacker may be able to crash FreeRADIUS if they cause
FreeRADIUS to escape a string containing three or less characters. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-1454 to this issue.

Additionally a bug was found in the way FreeRADIUS escapes SQL data. It is
possible that an authenticated user could execute arbitrary SQL queries by
sending a specially crafted request to FreeRADIUS. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1455 to this issue.

Users of FreeRADIUS should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2005-June/074054.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074056.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074057.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074058.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074063.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074065.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074066.html

Affected packages:
freeradius
freeradius-mysql
freeradius-postgresql
freeradius-unixODBC

Upstream details at:
https://access.redhat.com/errata/RHSA-2005:524

OSVersionArchitecturePackageVersionFilename
CentOS4ia64freeradius< 1.0.1-3.RHEL4freeradius-1.0.1-3.RHEL4.ia64.rpm
CentOS4ia64freeradius-mysql< 1.0.1-3.RHEL4freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm
CentOS4ia64freeradius-postgresql< 1.0.1-3.RHEL4freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
CentOS4ia64freeradius-unixodbc< 1.0.1-3.RHEL4freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm
CentOS3ia64freeradius< 1.0.1-1.1.RHEL3freeradius-1.0.1-1.1.RHEL3.ia64.rpm
CentOS3ia64freeradius-mysql< 1.0.1-1.1.RHEL3freeradius-mysql-1.0.1-1.1.RHEL3.ia64.rpm
CentOS3ia64freeradius-postgresql< 1.0.1-1.1.RHEL3freeradius-postgresql-1.0.1-1.1.RHEL3.ia64.rpm
CentOS3ia64freeradius-unixodbc< 1.0.1-1.1.RHEL3freeradius-unixODBC-1.0.1-1.1.RHEL3.ia64.rpm
CentOS4x86_64freeradius< 1.0.1-3.RHEL4freeradius-1.0.1-3.RHEL4.x86_64.rpm
CentOS4x86_64freeradius-mysql< 1.0.1-3.RHEL4freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	4	ia64	freeradius	< 1.0.1-3.RHEL4	freeradius-1.0.1-3.RHEL4.ia64.rpm
CentOS	4	ia64	freeradius-mysql	< 1.0.1-3.RHEL4	freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm
CentOS	4	ia64	freeradius-postgresql	< 1.0.1-3.RHEL4	freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
CentOS	4	ia64	freeradius-unixodbc	< 1.0.1-3.RHEL4	freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm
CentOS	3	ia64	freeradius	< 1.0.1-1.1.RHEL3	freeradius-1.0.1-1.1.RHEL3.ia64.rpm
CentOS	3	ia64	freeradius-mysql	< 1.0.1-1.1.RHEL3	freeradius-mysql-1.0.1-1.1.RHEL3.ia64.rpm
CentOS	3	ia64	freeradius-postgresql	< 1.0.1-1.1.RHEL3	freeradius-postgresql-1.0.1-1.1.RHEL3.ia64.rpm
CentOS	3	ia64	freeradius-unixodbc	< 1.0.1-1.1.RHEL3	freeradius-unixODBC-1.0.1-1.1.RHEL3.ia64.rpm
CentOS	4	x86_64	freeradius	< 1.0.1-3.RHEL4	freeradius-1.0.1-3.RHEL4.x86_64.rpm
CentOS	4	x86_64	freeradius-mysql	< 1.0.1-3.RHEL4	freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm